April 04, 2013

Automated Telephony Denial of Service (TDoS) Attack Basics

I am going to write a series of posts on Telephony Denial of Service (TDoS). I thought I would start with a brief description of how attackers actually generate automated TDoS attacks. I will follow up with other techniques, info about the impact to enterprises, and how they can detect and mitgate the attacks.

The bottom line is that TDoS attacks have become cheap and easy to implement. The barrier to entry is much lower, due to the availability of VoIP, SIP, and UC. The 5 basic steps to execute a TDoS attack are as follows:

First, it is easy to get and set up free and powerful IP PBX software such as Asterisk. Asterisk has all the capabilities you will ever need to generate a TDoS attack. You also need a call generator or way to use Asterisk to generate calls. One such tool is "spitter", which SecureLogix wrote a while back for the Hacking Exposed: VoIP book. We are updating this tool as we speak for a revision to the book. You can get the current version from the SecureLogix SIP Testing Tools website as part of a set of VoIP testing tools.

Second, you need to determine the numbers you want to call. This is trivial. There has been a lot of discussion about attacks against 911 services. What could be easier than this - everyone knows the target number - it is always 911. It is just as easy to target a financial contact center - just go to the website of the target bank or other enterprise and search or browse for their 1-800 numbers. You only need 1 or a few numbers. You can also easily flood administrative parts of an enterprise. You can either discover their DID range or just pick a few numbers, because multiple calls to 1 DID will roll over, still consume trunks, and be answered by voice mail.

Third, you need to pick some audio to play. This could be silence or white noise if you are lazy. If your target is 911, maybe the audio sounds like a legitmate emergency call. If you don't want to use your own voice, google "text to speech" and you will find 100's of services and applications that will convert the text you type into audio that you can use. You can even select the language, dialect, and accent. If you are targeting a financial contact center, maybe you want to tie up an IVR, so you could do a little research on your target and build an audio file that just loops through the menus. Or perhaps it flies through the menus to get to the agent, where you play some sort of audio that keeps the agent on the line as long as possible.

Fourth, it is easy to get VoIP/SIP access into the public voice network. In the old days, you would need an expensive PBX and PRI access into the network in order to generate calls. Now you just need Asterisk and a SIP trunk. If you google "SIP trunks", you will find 100's of companies that provide an inexpensive way of generating calls. Some of these services are as cheap as $0.01 a call. Remember that the target may or may not be using SIP (odds are they are still using TDM), so you still must traverse the public voice network. SIP trunks are easy to set up and you can be generating calls in a very short amount of time. Of course if you are really serious, you can also scan for vulnerable SIP servers and try to generate your traffic for free. Or you can set yourself up as a service provider. Another somewhat effective approach is to use one of the "legitimate" call generation services. Just google "robocalls" and you will find many services, that for a fee, will generate lots of calls for you.

Finally, you need to run the attack. When you run it is important. For 911 it may not matter, but any time where it is likely there will be a lot of emergencies, perhaps during a storm or in the evening could be more effective. For a financial contact center, do it during the day during peak times, between say 10 am and 2 pm. Monitor the attack - you will be able to tell if it is effective if the calls being generated are failing.

Comments

Mark,
We have been involved in assisting the 911 industry for some time now, and look to other industry professionals such as you for information that can help provide guidance. Your column states “For 911 it may not matter, but any time where it is likely there will be a lot of emergencies, perhaps during a storm or in the evening could be more effective” is reckless at best and borders on recommending criminal activity. TDoS attacks on 911 services places the Public Safety Answering Points (PSAP’s) and the ability to respond to actual emergencies at great risk.